Solutions Business Manager 11.7.1 Security Bulletin
This document contains important security information for SBM. This document is only available to registered customers who log in to the Support site. Last updated on 2020-03-26.

General Information

Internet applications are always vulnerable to attacks by various malicious users, abusive bots, and crawlers that can exploit weaknesses in the data security model to gain unauthorized access to important data. SBM is scanned for Web application security as part of the certification process upon each release, and it is thoroughly tested using the following assessments to validate the security of the enterprise data that is stored in the database.

  • Cross site scripting (XSS)
  • Access control weaknesses
  • OS and SQL injection flaws
  • Cross site request forgery (CSRF)
  • Cookie manipulation
  • Hidden field manipulation
  • Insecure storage
  • Insecure configuration

Any vulnerability that is detected during these tests can be exploited to gain access to sensitive enterprise data and ultimately lead to financial loss. Our development and quality assurance organizations endeavor to expose and resolve these types of potential vulnerabilities during each testing cycle. We take security seriously. We strive to aggressively enhance SBM to safeguard against any new vulnerabilities that are discovered.

Recommendation

The improvements described in this bulletin apply to SBM 11.7.1. To take advantage of these improvements and safeguard your system, consider upgrading to version SBM 11.7.1.

For detailed upgrade steps from earlier versions of SBM, refer to the SBM 11.7.1 release notes.

Minimum Security Configuration

Security vulnerabilities will only be reviewed and addressed (cases accepted) after SBM is configured with the following:

  • IIS with HTTPS enabled and HTTP disabled
  • Tomcat with HTTPS enabled and HTTP disabled
  • IIS and Tomcat must use SSL certificates that you supply
  • Notification Server and Mail Client must use SSL
  • SSL legacy protocols are not enabled
  • SSO URLs are all HTTPS; no HTTP entries
  • Integrations must run with trusted certificates for SSO
  • All certificates in SBM must be regenerated in SBM Configurator or use additional customer-supplied certificates
  • No default certificates installed with SBM may be in use

Recommended Security Configuration

To configure recommended security settings for SBM, perform the following:

  • Replace the default certificates that are installed with SBM by generating new certificates in SBM Configurator. The steps that you perform to secure SBM with new certificates depend on how SBM is installed. For details, refer to “Securing SBM” in the SBM Installation and Configuration Guide or the SBM Configurator help.
  • On the SBM Application Engine server, set the Web Application Firewall filter level to Block on the Security | Secure SBM sub-tab in SBM Configurator.
  • On each SBM server in your installation:
    • Change SSO keystore passwords on the Security | Secure SSO sub-tab in SBM Configurator.
    • Encrypt SSO configuration files on the Security | Secure SSO sub-tab in SBM Configurator.
    • Enable HTTP secure response headers in the Security | Secure Response Headers sub-tab in SBM Configurator.
      • Enable all of the options that appear.
      • Ensure that anti-clickjacking is enabled. For the Load page in frame option, select Allow from the same origin.
    • Disable HTTP and enable HTTPS for IIS and Tomcat. Obtain valid certificates from a well-known Certificate Authority.
  • Enable a secure password policy using the options in the Authentication | Password Restrictions sub-tab in SBM Configurator.
  • Configure restricted and allowed file types using the DisallowedFileExtensions and MaxFileObjSelections options in the TS_SYSTEMSETTINGS table. This enables you to block or allow certain file types, as well as impose a restriction on the number of files that can be added to an item (the recommended limit is 10 files). For details, refer to S143109.

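The response-header settings above can be verified from outside the server by inspecting what SBM actually returns. The following checker is an added example and is not SBM code or Micro Focus tooling: it audits a response's headers for the controls the bulletin names (HTTPS-only operation via Strict-Transport-Security, anti-clickjacking limited to the same origin, plus the nosniff and cookie-flag checks a reviewer would normally include). The exact header names SBM Configurator emits are an assumption; the two sample responses are constructed.

```python
"""Audit HTTP response headers for the secure-header posture described in the
bulletin. Added example, not SBM code; the expected header names and values are
the standard ones for these controls, and which of them SBM Configurator emits
is an assumption. Both header sets below are constructed, not captured."""
import re

# Constructed: what a default-looking response might carry.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "JSESSIONID=abc123; Path=/",
}

# Constructed: a response with the recommended controls enabled.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
}


def _get(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_restricted(headers):
    """True if the response forbids framing by other origins.

    X-Frame-Options DENY/SAMEORIGIN counts, as does a CSP frame-ancestors
    directive limited to 'self' or 'none'. The obsolete ALLOW-FROM form and a
    frame-ancestors list naming other hosts do not count as same-origin only.
    """
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    csp = _get(headers, "Content-Security-Policy") or ""
    match = re.search(r"frame-ancestors\s+([^;]+)", csp, re.IGNORECASE)
    if match:
        sources = match.group(1).split()
        return all(s.lower() in ("'self'", "'none'") for s in sources)
    return False


def audit_headers(headers):
    """Return a list of findings; an empty list means every checked control is present."""
    findings = []
    if _get(headers, "Strict-Transport-Security") is None:
        findings.append("missing Strict-Transport-Security (browsers may still try HTTP)")
    if not framing_restricted(headers):
        findings.append("anti-clickjacking not restricted to the same origin")
    if (_get(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    cookie = _get(headers, "Set-Cookie") or ""
    flags = [part.strip().lower() for part in cookie.split(";")]
    if cookie and ("secure" not in flags or "httponly" not in flags):
        findings.append("session cookie lacks Secure and/or HttpOnly")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "OK")
```

Point the checker at the headers returned by each SBM URL (Application Engine, Tomcat-hosted services, SSO endpoints) after applying the Configurator settings; a non-empty result on any of them means an option is still off or a front-end proxy is stripping the header.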
Summary

The following fixes and improvements were made in the SBM 11.7.1 release.

  • Added FIPS 140-2 Compliance (EPIC 105170)

    For systems that require compliance with the U.S. federal government security standard FIPS 140-2, you can now enable FIPS 140-2 compliance directly in SBM. This ensures that all encryption within SBM uses FIPS 140-2 certified encryption libraries and FIPS 140-2 certified algorithms.

  • Improved Encryption (EPIC 105170)

    All encryption performed by SBM was audited and improved to use stronger, more secure algorithms in both FIPS and non-FIPS modes.

  • XSS on Attach URL (DEF336098)

    Fixed a potential XSS vulnerability with the Attach URL item action.

  • XSS: Do Not Allow Opening Restricted File Attachments (DEF337165)

    Fixed a potential XSS vulnerability related to attached files on work items.

  • Access Privileges Issue in Application Repository (DEF336103)

    Fixed a potential security issue that enabled a non-administrator to log in to Application Repository.

  • Session Management in Application Repository and commonsvc (DEF336103)

    A new session ID is generated upon successful authentication when SSO is disabled.

  • Information Disclosure in Theme Import (DEF336108)

    Removed the tempdirectory and tempdirectoryandfile parameters from the authentication error response when importing Work Center themes.

  • Global System Setting to Restrict Attachments (ENH338649)

    A DBA can modify the following new entries in the TS_SYSTEMSETTINGS table:
    • DisallowedFileExtensions – A comma-separated list of file extensions that are not valid at the system level. You can use the list to block or allow certain file types.
    • MaxFileObjSelections – Limits the total number of files that can be attached to an item via Add File or via a File Field.

    Refer to S143109 for help with modifying these settings in the database.

  • Encryption Algorithm Used in the Application Engine Database (DEF337364)

    The encryption algorithm that is used in the SBM Application Engine database was changed to AES256 in the following areas:

    • TS_DBSOURCES.TS_USERPASSWORD
    • TS_LDAPCONFIGURATIONS.TS_ADMP
    • TS_MAILBOX.TS_PASSWORD
    • TS_WSDESCRIPTIONS.TS_PASSWORD
    • Certain rows in TS_SYSTEMSETTINGS, TS_SYSTEMSETTINGSNAMESPACED with lower(TS_NAME) in ('clientcertsslcallbackauthncertkeypassword','ldapadminpwd','mapipassword','smtpauthpassword','nsexchangepassword','mcexchangepassword')
    • Encrypted values in TSADMINCHANGES and TS_ADMINCHANGESVALUES
    • Fields in primary and auxiliary tables that have the Password option checked
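
The DisallowedFileExtensions and MaxFileObjSelections settings (described under Recommended Security Configuration and under ENH338649 above) define an attachment policy: a comma-separated extension blocklist and a per-item file cap. The code below is an added illustration of how such a policy is enforced and is not SBM's implementation; how SBM parses and applies the TS_SYSTEMSETTINGS values is an assumption, and the settings values and file names are constructed. It covers the edge cases a blocklist check has to get right: mixed case, stray dots and spaces in the list, a trailing dot on the file name, double extensions, and client paths submitted with the name.

```python
"""Attachment policy check modelled on DisallowedFileExtensions and
MaxFileObjSelections. Added illustration, not SBM code; the parsing rules are
assumptions and the values below are constructed."""
from dataclasses import dataclass

# Constructed settings, shaped like the two TS_SYSTEMSETTINGS entries.
SETTINGS = {
    "DisallowedFileExtensions": "exe, bat,cmd, js ,HTA,.scr,",
    "MaxFileObjSelections": "10",  # the limit the bulletin recommends
}


def parse_extensions(raw):
    """Normalise the comma-separated list: lower-case, no leading dot, no blanks."""
    result = set()
    for part in raw.split(","):
        part = part.strip().lower().lstrip(".")
        if part:
            result.add(part)
    return result


def file_extension(filename):
    """Return the final extension of a file name, lower-cased, without the dot.

    Only the last suffix decides, so 'report.pdf.exe' is an exe. Trailing dots
    and spaces are stripped so 'payload.exe.' is not treated as extension-less,
    and any client-side path prefix is discarded first.
    """
    name = filename.strip().rstrip(". ")
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


@dataclass
class AttachmentPolicy:
    disallowed: set
    max_files: int

    @classmethod
    def from_settings(cls, settings):
        return cls(
            disallowed=parse_extensions(settings.get("DisallowedFileExtensions", "")),
            max_files=int(settings.get("MaxFileObjSelections", "0")),
        )

    def check(self, existing_count, new_filenames):
        """Return rejection reasons for a batch of uploads (empty list = accept).

        The whole batch is evaluated so the user sees every problem at once.
        """
        problems = []
        total = existing_count + len(new_filenames)
        if total > self.max_files:
            problems.append(f"item would hold {total} files; limit is {self.max_files}")
        for name in new_filenames:
            ext = file_extension(name)
            if ext in self.disallowed:
                problems.append(f"{name!r}: extension .{ext} is not allowed")
        return problems


if __name__ == "__main__":
    policy = AttachmentPolicy.from_settings(SETTINGS)
    print(policy.check(9, ["notes.txt", "Report.pdf.EXE."]))
```

A blocklist of this kind stops the obvious executable types; it does not inspect file content, so pair it with the server-side restriction on opening attachments (DEF337165) rather than relying on the extension alone.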

This release also addresses the following potential security vulnerabilities:

  • CVE-2019-18942 - Stored XSS
  • CVE-2019-18943 - XML External Entity processing
  • CVE-2019-18944 - Reflected XSS
  • CVE-2019-18945 - Privilege escalation
  • CVE-2019-18946 - Session fixation
  • CVE-2019-18947 - Information disclosure
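
The session fixation fix (DEF336103, CVE-2019-18946) comes down to one rule: the session identifier a client held before authenticating must not be the one that carries the authenticated state. The store below is an added example that is not SBM's implementation; the store, the credential check and the single user record are constructed for the demonstration. It runs the same login twice, once with regeneration and once without, so the difference is visible in the return values.

```python
"""Session-ID regeneration at login, the mitigation for session fixation.
Added example, not SBM code; the session store and the user record are
constructed, and the credential check is a stand-in for real authentication."""
import hmac
import secrets

# Constructed credential store (plaintext only because this is a demo).
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> attributes

    def new_session(self):
        """Issue an anonymous, pre-authentication session id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, username, password, regenerate=True):
        """Authenticate and return the session id the client must use afterwards.

        With regenerate=True the pre-auth id is discarded and a fresh id carries
        the authenticated state, so an id that was known before login grants
        nothing. regenerate=False keeps the old id and reproduces the
        fixation-prone behaviour for comparison.
        """
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        if sid not in self._sessions:
            return None  # unknown or expired session
        if regenerate:
            del self._sessions[sid]
            sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username}
        return sid


def pre_login_id_is_authenticated(regenerate):
    """Does a session id issued before login grant the authenticated session after login?

    Returns True when the old id still resolves to the logged-in user, which is
    the condition session fixation depends on.
    """
    store = SessionStore()
    pre_login = store.new_session()
    store.login(pre_login, "alice", "correct horse battery staple", regenerate=regenerate)
    session = store.get(pre_login)
    return session is not None and session["user"] == "alice"


if __name__ == "__main__":
    print("without regeneration:", pre_login_id_is_authenticated(regenerate=False))
    print("with regeneration:   ", pre_login_id_is_authenticated(regenerate=True))
```

When SSO is enabled the SSO layer issues the post-authentication token, which is why the bulletin scopes this fix to deployments with SSO disabled; the rule itself applies to any login path that keeps its own session.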

Special thanks go to Alessio Sergi of Verizon Business (Global Security Services) for responsibly disclosing these CVEs.

Legal Notice

© Copyright 2007–2020 Micro Focus or one of its affiliates.

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. Except as specifically indicated otherwise, this document contains confidential information and a valid license is required for possession, use or copying. If this work is provided to the U.S. Government, consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed under vendor's standard commercial license.

Micro Focus encourages the customer to enable attachment extension filtering, which is not enabled by default by Micro Focus. By not implementing attachment extension filtering you may be exposing the system to increased security risks. You understand and agree to assume all associated risks and hold Micro Focus harmless for the same. It remains at all times the customer’s sole responsibility to assess its own regulatory and business requirements. Micro Focus does not represent or warrant that its products comply with any specific legal or regulatory standards applicable to the customer in conducting the customer's business.